Greyware's Membership Monitor (GWMM) adds valuable second-level protection to your Windows user groups by generating emails, logs, and audible alerts when there are any changes in the groups you select to monitor.

Once a LAN gets beyond the size where one administrator can handle all the changes -- especially with multiple sysadmins and account managers at multiple sites -- it becomes easy to lose track of which user is a member of which group. An unwanted or unauthorized change can go undetected for days or months, by which time the damage has long been done. And if your network has any security holes that allow users to promote themselves, you may never know what happened...the user can join a privileged group, access restricted data, then unjoin the group without leaving any sort of record behind.

Greyware's Membership Monitor prevents these kind of surprises. With a few simple clicks you can establish a monitor for any one -- or all -- user groups in your enterprise. Membership Monitor sits quietly in the background, watching for changes. When a monitored group has a member added or removed, the program sends email alerts.

In addition, Membership Monitor can keep a detailed log file, showing all changes to monitored groups.

Requirements

Runs on Windows XP, 2003/2003 R2, Vista, 2008/2008 R2, Win7, Win8, Win8.1, Win2012/Win2012 R2, Win10, Win2016. Both 32 and 64-bit versions provided.

Documentation

Membership Monitor is controlled by its Control Panel applet. To start the applet, find the Membership Monitor icon in the Windows Control Panel and click it.

The applet lets you set the options appropriate for your machine. Any changes you make will not take effect until you click the "Apply" button or close the applet. You do not need to reboot or stop and restart the service after making changes.

The Membership Monitor Control Panel Applet

Group Lists
When you start the applet, the program will attempt to display all user groups visible from the machine on which you are running Membership Monitor. If the machine is a member of a domain, the groups associated with that domain will be listed under a tab named for the domain. If the machine can discover and has rights to other domains (such as child domains), the other domains will be listed on their own tab. If the machine is a stand-alone machine, its groups will be listed under a tab named for the local machine.

Note:
By default, only domains that are discovered through Active Directory will automatically appear in their own tabs. If you have other domains with a trust relationship that allows interrogation of group accounts from the domain hosting Membership Monitor, then you may add them manually by editing the following key in the regsitry:

HKLM\SOFTWARE\Greyware\Membership Monitor\Parameters\Additional Sources

Enter the flat name (NetBIOS name) of each additional domain to enumerate, one name per line, i.e.

OTHER_DOMAIN
ANOTHER_DOMAIN
etc...

Restart the Membership Monitor service to apply the changes.

The groups listed are displayed based on Windows own internal domain group discovery methods. If your groups are not listed, you will need to verify that the machine's domain membership, Active Directory access, etc. are working correctly. You will also need to provide security credentials to each domain (see below).

Credentials
Membership Monitor needs sufficient rights to be able to read the security logs from domain controllers in each domain it monitors. Since the program runs as a background service, you will need to provide an account with Domain Admin rights to each domain you will be monitoring. You do this by clicking the Security Credentials for [DOMAIN] link on the bottom-left of each domain tab page. This brings up the Credentials Dialog.

The Credentials Dialog

IMPORTANT:
You MUST provide a valid credentials account for each domain you monitor. Membership Monitor will not be able to detect group changes without this access.

Monitoring Groups
To monitor a group for changes, simply click the group's checkbox. Membership Monitor will begin tracking members in in the group.

Keep in mind that group changes will not necessarily be visible immediately. The actual time it takes a change to become visible will depend on which domain controllers were involved with the change and the replication schedule of your domain. If you are looking for the fastest notification possible, you should run Membership Monitor on the PDC-Emulator.

See the Timings section of the Advanced Settings page for details on changing the polling rate and method to optimize notification rates.

Membership Monitor works with Windows Auditing to report the username of the account responsible for making changes. Membership Monitor will automatically enable the correct local policy to permit this (Security Settings | Local Policies | Audit Policy | Audit Account Management | Success) for you. However if you have group policies that override this setting, you will need to edit them to ensure the Success auditing remains enabled.

Setting the Alert Actions
When Membership Monitor detects a change to a monitored group, it will take the actions you specify to alert you or log the event. You may choose use the Default Actions or define custom actions for any group. The selected type of action for any group will be displayed in the Alert Actions column.

The Default Actions
The Default Actions are set using the Options -> Alert Options item from the applet menu.

The Default Alert Actions Dialog

Email Notifications
If you want email notifications for change events, you will need to click the Email Setup... button to define default email servers and recipients. You can also use the setup dialog to send test mails and to advanced email troubleshooting. You MUST have a default email user and email servers defined if you plan to use email notifications.

Custom Alert Actions
To define a custom alert action for any monitored group, right-click the desired group name and choose Set Custom Alert Actions... from the context menu.

The Custom Alert Actions Dialog

Changes you make here will override the Default Alert Actions settings (the Default settings are shown in light grey). If you want to ensure an action occurs even if the Default Actions change, change a setting so the checkbox is solid black. To be sure an action does not occur, be sure the checkbox is cleared completely.

Audible Alert Options
You may want to have an audible alert when your monitiored groups change. To enable this option, choose Options -> Audible Alert Choices... from the applet menu.

The Audible Alerts Dialog

Note: You must have the System Tray applet loaded in order to hear audible alerts. See the System Tray Icon section of the Advanced Settings page to enable/disable the tray.

Logging Options
Membership Monitor has the ability to write data to several types of logs:

Service Text Logs
Syslog
Windows Event Logs (set on the Alert Actions dialogs (see above)

Set the options for each type of log by choosing their dialog screens from the Options menu.

Advanced Settings
Pick the Options -> Advanced Settings... from the applet menu to set the following options:

The Advanced Settings Dialog

Timings
Membership Monitor obtains information about changes to groups and who made the changes by polling domain controllers. The main polling functions happen on the schedule set here.

You will want to set a schedule that alerts you in a timely manner but does not result in excessive network activity. On most networks, this will not be a concern, even at a high polling rate, but if you have underpowered systems or have a very large network with groups with many hundreds or thousands of members, you will want to moderate this setting.

Quick Navigation;